
How to solve "New Amazon public certificates no longer chain to the Starfield Class 2 Certification Authorit"


I received an email from AWS. “New Amazon public certificates are no longer linked to the Starfield Class 2 certificate authority,” the email read. How can I solve this problem?

1 Answer
  • If you employ browsers, common trust stores such as the Mozilla trust store, or common platforms such as the latest Android, Apple, Microsoft, or Chromium versions, no action is needed: you will not be impacted by this change.

  • If you or your end customers have customized your TLS-initiating application to only trust Starfield C2, you will need to update your trust stores to trust all Amazon CAs [1] instead.

Such applications will otherwise fail to initiate a TLS connection when they encounter the latest Amazon certificates without C2. We continue to cross-sign Amazon CAs with Starfield G2, which is owned by Amazon. All popular public browsers and platforms such as Mozilla, Chrome, Windows, and Android contain the Amazon and Starfield G2 roots that we chain up to in our certificates.

As a best practice, it is also strongly recommended not to pin your trust to a certificate that you don't completely own, such as certificates for AWS service API endpoints. You can read OWASP guidance on certificate pinning [3] [4].

[1] https://www.amazontrust.com/repository/
[2] https://aws.amazon.com/blogs/security/acm-will-no-longer-cross-sign-certificates-with-starfield-class-2-starting-august-2024/
[3] https://wiki.mozilla.org/CA/Root_CA_Lifecycles
[4] https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning

AWS
answered a month ago
EXPERT
reviewed a month ago
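The failure the answer describes, as an added example that is not part of the re:Post thread and not AWS's own code: a Go program that generates a constructed chain leaf -> intermediate -> "Amazon Root CA 1" with no Starfield Class 2 above it, verifies it against a trust store holding only Class 2 (rejected, which is what a custom TLS client pinned to C2 will see) and against the Amazon root (accepted), and audits a PEM bundle for the Amazon Trust roots. Every certificate is generated locally at run time; the root subject names are an assumption taken from the repository listing [1], and the Class 2 stand-in keeps its name in the OU as the real root does, so the audit's OU fallback is exercised.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Subject names of the Amazon Trust Services roots, assumed from the listing at
// https://www.amazontrust.com/repository/ (confirm them against the repository).
var amazonTrustRoots = []string{
	"Amazon Root CA 1", "Amazon Root CA 2", "Amazon Root CA 3", "Amazon Root CA 4",
	"Starfield Services Root Certificate Authority - G2",
}

// The legacy root that some custom trust stores pin to.
const starfieldClass2 = "Starfield Class 2 Certification Authority"
// AuditBundle parses a PEM trust bundle and reports which Amazon Trust roots are
// absent and whether it trusts Starfield Class 2 while holding none of them.
func AuditBundle(bundle []byte) (missing []string, onlyClass2 bool, err error) {
	present := map[string]bool{}
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, perr := x509.ParseCertificate(block.Bytes)
		if perr != nil {
			return nil, false, perr
		}
		name := c.Subject.CommonName
		if name == "" && len(c.Subject.OrganizationalUnit) > 0 {
			name = c.Subject.OrganizationalUnit[0] // the real Starfield Class 2 root names itself in the OU, not the CN
		}
		present[name] = true
	}
	for _, n := range amazonTrustRoots {
		if !present[n] {
			missing = append(missing, n)
		}
	}
	return missing, present[starfieldClass2] && len(missing) == len(amazonTrustRoots), nil
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// newCert issues a constructed certificate (self-signed when parent is nil); no SAN/EKU is set, hostname matching is not exercised here.
func newCert(subject pkix.Name, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// Scenario is a constructed stand-in for a current Amazon-issued chain: leaf -> intermediate -> Amazon Root CA 1, with no Starfield Class 2 cross-sign above it.
type Scenario struct{ Class2, AmazonRoot1, Intermediate, Leaf *x509.Certificate }

func BuildScenario() Scenario {
	class2, _ := newCert(pkix.Name{OrganizationalUnit: []string{starfieldClass2}}, true, nil, nil)
	root1, root1Key := newCert(pkix.Name{CommonName: "Amazon Root CA 1"}, true, nil, nil)
	inter, interKey := newCert(pkix.Name{CommonName: "Constructed Issuing CA"}, true, root1, root1Key)
	leaf, _ := newCert(pkix.Name{CommonName: "api.example.com"}, false, inter, interKey)
	return Scenario{class2, root1, inter, leaf}
}

// VerifyWithRoot does what a TLS client does at handshake time: validate the served chain (leaf plus intermediate) against the one root it trusts.
func VerifyWithRoot(s Scenario, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(s.Intermediate)
	_, err := s.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

func main() {
	s := BuildScenario()
	fmt.Println("trust store = Class 2 only    :", VerifyWithRoot(s, s.Class2))
	fmt.Println("trust store = Amazon Root CA 1:", VerifyWithRoot(s, s.AmazonRoot1))
}
```

On a real system, pass the bytes of your CA file (for example from os.ReadFile) to AuditBundle: a non-empty missing list tells you which roots from [1] still need to be added, and onlyClass2 == true is exactly the configuration that will start failing handshakes. The first Verify call fails with an "unknown authority" error because nothing in the Class 2-only pool signs any certificate in the served chain; adding the Amazon root is the fix the answer describes.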
